U.S. Senator Russ Feingold on the Computer Trespass Clarification Act September 8, 2004 Mr. FEINGOLD. Mr. President, I am pleased to introduce the Computer Trespass Clarification Act of 2004, which would amend and clarify section 217 of the USA-PATRIOT Act. Section 217 addresses the interception of computer trespass communications. This bill would modify existing law to more accurately reflect the intent of the provision, and also protect against invasions of privacy. Section 217 was designed to permit law enforcement to assist computer owners who are subject to denial of service attacks or other episodes of hacking. The original Department of Justice draft of the bill that later became the PATRIOT Act included this provision. A section-by-section analysis provided by the Department on September 19, 2001, stated the following: Current law may not allow victims of computer trespassing to request law enforcement assistance in monitoring unauthorized attacks as they occur. Because service providers often lack the expertise, equipment, or financial resources required to monitor attacks themselves as permitted under current law, they often have no way to exercise their rights to protect themselves from unauthorized attackers. Moreover, such attackers can target critical infrastructures and engage in cyberterrorism. To correct this problem, and help to protect national security, the proposed amendments to the wiretap statute would allow victims of computer attacks to authorize persons ``acting under color of law'' to monitor trespassers on their computer systems in a narrow class of cases. I strongly supported the goal of giving computer system owners the ability to call in law enforcement to help defend themselves against hacking. Including such a provision in the PATRIOT Act made a lot of sense. Unfortunately, the drafters of the provision made it much broader than necessary, and refused to amend it at the time we debated the bill in 2001. As a result, the law now gives the government the authority to intercept communications by people using computers owned by others as long as they have allegedly engaged in some unauthorized activity on the computer, and the owner gives permission for the computer to be monitored. Only people who have a ``contractual relationship'' with the owner allowing the use of a computer are exempt from the definition of a computer trespasser under section 217 of the PATRIOT Act. Many people--for example, college students, patrons of libraries, Internet cafes or airport business lounges, and guests at hotels--use computers owned by others with permission, but without a contractual relationship. They could end up being the subject of government snooping if the owner of the computer gives permission to law enforcement. My bill would clarify that someone who has been given permission to use a computer by the owner or operator of that computer is not a computer trespasser. It would bring the existing computer trespass provision in line with the purpose of section 217 as expressed in the Department of Justice's initial explanation of the provision. Section 217 was intended to target only a narrow class of people: unauthorized cyberhackers. It was not intended to give the government the opportunity to engage in widespread surveillance of computer users without a warrant. We don't know, of course, whether such surveillance is taking place. Unless criminal charges are brought against someone as a result of such surveillance, there would never be any notice at all that the surveillance has taken place. The computer owner authorizes the surveillance, and the FBI carries it out. There is no warrant, no court proceeding, no opportunity even for the subject of the surveillance to challenge the assertion of the computer owner that some unauthorized use of the computer has occurred. The Computer Trespass Clarification Act would modify the computer trespass provision to protect against abuse, while still maintaining its usefulness in cases of denial of service attacks and other forms of hacking. First, it would require that the owner or operator of the protected computer authorizing the interception has been subject to ``communications activity that threatens the integrity or operation of such computer.'' In other words, the owner has to be the target of some kind of hacking. Second, the bill would clarify that to be excluded from the definition of computer trespasser, a person who has permission to use a computer does not need to have a contractual relationship granting that permission. Third, the bill limits the length of warrant-less surveillance to 96 hours. This is twice as long as is allowed for an emergency wiretap. With four days of surveillance, it should not be difficult for the government to gather sufficient evidence of wrongdoing to obtain a warrant if continued surveillance is necessary. In addition, the bill would require the Attorney General to annually report on the use of Section 217 to the Senate and House Judiciary Committees. Section 217 is one of the provisions that is subject to the sunset provision in the PATRIOT Act and will expire at the end of 2005. We in the Congress need to do more oversight of the use of this and other provisions of the PATRIOT Act in order to evaluate their effectiveness. The computer trespass provision now in the law as a result of section 217 of the PATRIOT Act leaves open the possibility for significant and unnecessary invasions of privacy. The reasonable and modest changes to the provision contained in this bill preserve the usefulness of the provision for investigations of cyberhacking, but reduce the possibility of abuse. We must continually seek to balance the need for effective tools to fight crime and terrorism and the civil liberties of our citizens. The Computer Trespass Clarification Act strikes the right balance and I urge my colleagues to support it.

# # #